
I've been reverse-engineering an Android app for a set of Bluetooth headphones, and my goal is to find the keys to decrypt the firmware. I obtained the firmware by intercepting the traffic between the device and the server.

In the code, I've found some parts that look like they should handle decryption, but it doesn't seem like these methods are actually being used in the application. I'm having difficulty tracking down the keys or identifying where and how they are applied to decrypt the firmware.

Here is the code I found that seems to handle the decryption process, but it doesn't appear to be utilized within the app.

    // Decompiled (obfuscated) method; field names are as the decompiler emitted them.
    // f20556b is passed as the AES key bytes, f20557c as the IV bytes, f20555a is
    // wrapped by k6.m as the data source, and f20558d receives the decrypting stream.
    public final long k(k6.o oVar) {
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
            try {
                // 2 == Cipher.DECRYPT_MODE
                cipher.init(2, new SecretKeySpec(this.f20556b, "AES"), new IvParameterSpec(this.f20557c));
                k6.m mVar = new k6.m(this.f20555a, oVar);
                // Plaintext is produced lazily as this stream is read.
                this.f20558d = new CipherInputStream(mVar, cipher);
                mVar.a();
                return -1L;
            } catch (InvalidAlgorithmParameterException | InvalidKeyException e10) {
                throw new RuntimeException(e10);
            }
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e11) {
            throw new RuntimeException(e11);
        }
    }

I've been using Frida to hook methods and classes related to encryption, but despite finding relevant classes for AES encryption (like com.android.org.conscrypt.OpenSSLEvpCipherAES$AES$CTR and com.android.org.conscrypt.OpenSSLAeadCipherAES$GCM), I can't seem to find where the actual decryption keys are being used or how the firmware is decrypted.

If anyone has any insights on how I can track the usage of keys or what I might be missing, I’d really appreciate any help or suggestions!

Thanks in advance!! :)
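An added example, not code from the original post or the app under analysis: a Frida script that hooks `javax.crypto.Cipher.init` and prints, for each call, the mode (the `2` in the decompiled method is `DECRYPT_MODE`), the transformation, the key and IV sizes and the first non-platform stack frame, so the app method that initialises a decrypt cipher can be located. It assumes decryption goes through the Java crypto API; a native library such as libRtkAesJni.so would not hit this hook, and a non-exportable key reports no size. The summary helpers are plain functions, so they also run outside Frida.

```javascript
// Added example (not from the original post): Frida script that logs every
// javax.crypto.Cipher.init() with its mode, transformation, key and IV sizes
// and the app frame that called it, so the decrypt path can be located.
// Usage: frida -U -f <app.package> -l cipher-trace.js   (<app.package> is a placeholder)

// javax.crypto.Cipher opmode constants; the decompiled k(k6.o) passes 2.
const OPMODES = { 1: "ENCRYPT_MODE", 2: "DECRYPT_MODE", 3: "WRAP_MODE", 4: "UNWRAP_MODE" };
// Frames belonging to the platform crypto plumbing rather than the app.
const PLATFORM = /^(javax\.crypto\.|java\.|android\.|com\.android\.|dalvik\.|sun\.)/;

// Turn Log.getStackTraceString() output into an array of "pkg.Class.method(File:line)".
function parseStack(text) {
  return text.split("\n").map(l => l.trim())
    .filter(l => l.startsWith("at ")).map(l => l.slice(3));
}

// First frame that is app code, i.e. the method that asked for the cipher.
function firstAppFrame(frames) {
  for (const f of frames) if (!PLATFORM.test(f)) return f;
  return frames.length ? frames[0] : "<no frames>";
}

// Pure summary of one init() call. keyLen < 0 means Key.getEncoded() returned
// null, which happens for non-exportable (e.g. AndroidKeyStore) keys.
function summarizeInit(opmode, transformation, keyLen, ivLen, frames) {
  return {
    mode: OPMODES[opmode] || ("UNKNOWN(" + opmode + ")"),
    transformation: transformation,
    keyBits: keyLen >= 0 ? keyLen * 8 : null,
    ivBytes: ivLen,
    caller: firstAppFrame(frames),
  };
}

// Frida wiring; only runs inside a Frida session where the Java bridge exists.
if (typeof Java !== "undefined") {
  Java.perform(function () {
    const Cipher = Java.use("javax.crypto.Cipher");
    const Log = Java.use("android.util.Log");
    const Exc = Java.use("java.lang.Exception");
    const IvSpec = Java.use("javax.crypto.spec.IvParameterSpec");
    // The (int, Key, AlgorithmParameterSpec) overload is the one k(k6.o) uses.
    Cipher.init.overload("int", "java.security.Key", "java.security.spec.AlgorithmParameterSpec")
      .implementation = function (opmode, key, params) {
        const enc = key.getEncoded();
        let ivLen = -1; // stays -1 for non-IV specs such as GCMParameterSpec
        try { ivLen = Java.cast(params, IvSpec).getIV().length; } catch (e) {}
        const frames = parseStack(Log.getStackTraceString(Exc.$new()));
        console.log(JSON.stringify(summarizeInit(opmode, this.getAlgorithm(), enc ? enc.length : -1, ivLen, frames)));
        return this.init(opmode, key, params);
      };
  });
}
```

If nothing is printed while the firmware is transferred, the Java layer is not doing the decryption and the native library or the headphones themselves are the next place to look.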

  • Are you sure the firmware is decrypted by the app and not by the Bluetooth device itself? Commented Dec 15, 2024 at 14:41
  • I intercepted the server request using Wireshark, and in one of the packets, I obtained what appears to be the encrypted firmware. However, I can't confirm whether the decryption is performed by the mobile application or the Bluetooth device. I noticed that the application uses native libraries such as libRtkAesJni.so, which suggests that it might handle the decryption. However, I haven’t been able to hook into this library with Frida to analyze its behavior or view the decrypted content. How can I determine if the decryption is performed by the application or the device? Thanks for your reply Commented Dec 15, 2024 at 18:22
  • You can capture all the data sent via Bluetooth so you can see the data is different than the one received from the web server. Commented Dec 16, 2024 at 10:27
  • Thank you so much! From what I’ve seen online, it seems possible to analyze the traffic by enabling the Bluetooth HCI Snoop Log feature in Android. I’ll definitely give it a try. Thanks again!! :) Commented Dec 17, 2024 at 10:37
  • There are also Frida scripts available dumping all the BLE traffic from the hooked app to any BLE device. Commented Dec 17, 2024 at 14:28
